The Tanzu Core CLI project provides the core functionality of the Tanzu CLI. The CLI is based on a plugin architecture where CLI command functionality can be delivered through independently developed plugin binaries
To use registries that require authentication to host Tanzu CLI Plugins images users are expected to do the following:
Use docker login <registry> or crane auth login <registry> to authenticate with the registry
Specify environment variable TANZU_CLI_AUTHENTICATED_REGISTRY=<registry>. By specifying this environment variable, Tanzu CLI will use the default authentication mechanism instead of using Anonymous access to fetch images.
Pending
Add E2E tests
Which issue(s) this PR fixes
Fixes #
Describe testing done for PR
Start local authenticated registry for testing
# Start local registry at `localhost:5001`
$ make start-test-central-repo
Start local registry requiring authentication at localhost:6002
$ tz plugin source update default -u localhost:6002/test/plugins/airgapped:small
[i] Refreshing plugin inventory cache for "localhost:6002/test/plugins/airgapped:small", this will take a few seconds.
[x] : unable to fetch the inventory of discovery 'default' for plugins: plugins discovery image resolution failed. Please check that the repository image URL "localhost:6002/test/plugins/airgapped:small" is correct: error getting the image digest: GET http://localhost:6002/v2/test/plugins/airgapped/manifests/small: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:test/plugins/airgapped Type:repository]]
* Authenticate with the registry with (`docker login` or `crane auth login`) and try again
$ tz plugin source update default -u localhost:6002/test/plugins/airgapped:small
[i] Refreshing plugin inventory cache for "localhost:6002/test/plugins/airgapped:small", this will take a few seconds.
[i] Reading plugin inventory for "localhost:6002/test/plugins/airgapped:small", this will take a few seconds.
[!] Skipping the plugins discovery image signature verification for "localhost:6002/test/plugins/airgapped:small"
[ok] updated discovery source default
$ tz plugin search
[i] The tanzu cli essential plugins are outdated and are being updated now. The update may take a few seconds.
[i] Installing plugins from plugin group 'vmware-tanzucli/essentials:v9.9.9'
[i] Installed plugin 'telemetry:v9.9.9' with target 'global'
NAME DESCRIPTION TARGET LATEST
account account functionality mission-control v9.9.9
cluster cluster functionality kubernetes v9.9.9
clustergroup clustergroup functionality operations v9.9.9
isolated-cluster isolated-cluster functionality global v9.9.9
plugin-with-sha plugin-with-sha functionality global v9.9.9
telemetry telemetry functionality global v9.9.9
<!-- Example: Created vSphere workload cluster to verify change. -->
### Release note
<!--
Please add a short text (limit to 1 to 2 sentences if possible) in the release-note block below if
there is anything in this PR that is worthy of mention in the next release.
See https://github.com/vmware-tanzu/tanzu-cli/blob/main/docs/release/release-notes.md#does-my-pull-request-need-a-release-note
for more details.
-->
```release-note
Add support for the Authenticated Registry to host Tanzu CLI plugin images
What this PR does / why we need it
docker login <registry>orcrane auth login <registry>to authenticate with the registryTANZU_CLI_AUTHENTICATED_REGISTRY=<registry>. By specifying this environment variable, Tanzu CLI will use the default authentication mechanism instead of usingAnonymousaccess to fetch images.Pending
Which issue(s) this PR fixes
Fixes #
Describe testing done for PR
Start local registry requiring authentication at
localhost:6002$ make start-airgapped-local-registry
$ tz plugin download-bundle --to-tar /tmp/plugins.tar.gz --image localhost:9876/tanzu-cli/plugins/airgapped:small ... [i] saving plugin bundle at: /tmp/plugins.tar.gz
$ tz plugin upload-bundle --tar /tmp/plugins.tar.gz --to-repo localhost:6002/test/plugins [i] extracting "/tmp/plugins.tar.gz" for processing... [i] --------------------------- [i] uploading image "localhost:6002/test/plugins/airgapped" [i] copy | importing 2 images...
[i] copy | copy | done uploading images [i] copy | Error: Error uploading images: HEAD http://localhost:6002/v2/test/plugins/airgapped/manifests/sha256-b3e204740c44151562050f9f5b839386231c135a7cde944f150bca0503cbeb8f.imgpkg: unexpected status code 401 Unauthorized (HEAD responses have no body, use GET for details) [x] : error while uploading image: HEAD http://localhost:6002/v2/test/plugins/airgapped/manifests/sha256-b3e204740c44151562050f9f5b839386231c135a7cde944f150bca0503cbeb8f.imgpkg: unexpected status code 401 Unauthorized (HEAD responses have no body, use GET for details)
$ docker login localhost:6002 Username: testuser Password: Login Succeeded
$ tz plugin upload-bundle --tar /tmp/plugins.tar.gz --to-repo localhost:6002/test/plugins ... [i] successfully published all plugin images to "localhost:6002/test/plugins/airgapped:small"
$ docker logout localhost:6002 Removing login credentials for localhost:6002
export TANZU_CLI_PLUGIN_DISCOVERY_IMAGE_SIGNATURE_VERIFICATION_SKIP_LIST=localhost:6002/test/plugins/airgapped:small export TANZU_CLI_AUTHENTICATED_REGISTRY=localhost:6002/test/plugins/airgapped:small
$ tz plugin source update default -u localhost:6002/test/plugins/airgapped:small [i] Refreshing plugin inventory cache for "localhost:6002/test/plugins/airgapped:small", this will take a few seconds. [x] : unable to fetch the inventory of discovery 'default' for plugins: plugins discovery image resolution failed. Please check that the repository image URL "localhost:6002/test/plugins/airgapped:small" is correct: error getting the image digest: GET http://localhost:6002/v2/test/plugins/airgapped/manifests/small: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:test/plugins/airgapped Type:repository]]
$ docker login localhost:6002 Username: testuser Password: Login Succeeded
$ tz plugin source update default -u localhost:6002/test/plugins/airgapped:small [i] Refreshing plugin inventory cache for "localhost:6002/test/plugins/airgapped:small", this will take a few seconds. [i] Reading plugin inventory for "localhost:6002/test/plugins/airgapped:small", this will take a few seconds. [!] Skipping the plugins discovery image signature verification for "localhost:6002/test/plugins/airgapped:small"
[ok] updated discovery source default
$ tz plugin search [i] The tanzu cli essential plugins are outdated and are being updated now. The update may take a few seconds. [i] Installing plugins from plugin group 'vmware-tanzucli/essentials:v9.9.9' [i] Installed plugin 'telemetry:v9.9.9' with target 'global'
NAME DESCRIPTION TARGET LATEST account account functionality mission-control v9.9.9 cluster cluster functionality kubernetes v9.9.9 clustergroup clustergroup functionality operations v9.9.9 isolated-cluster isolated-cluster functionality global v9.9.9 plugin-with-sha plugin-with-sha functionality global v9.9.9 telemetry telemetry functionality global v9.9.9
$ tz plugin install account [i] Installed plugin 'account:v9.9.9' with target 'mission-control' [ok] successfully installed 'account' plugin
Additional information
Special notes for your reviewer